b'Semi-Annual Report to Congress\nSkip Navigation.\nNARA\nBlogs\nBookmark/Share\nContact Us\nSearch\nOffice of the Inspector General (OIG)\nHome >\nOIG >\nReports to Congress >Semi-Annual Report to Congress\nOIG Reports\nReports and Managagement Letters\nFY 2014\nFY 2013\nFY 2012\nFY 2011\nFY 2010\nFY 2009\nFY 2008\nFY 2007\nFY 2006\nSemi-annual Reports to Congress\nAnnual Audit Plan\nFAIR Act Report\nPeer Review Reports\nOIG Hotline\nOIG semi-Annual Report to Congress:\nApril 1, 2006 -September 30, 2006\nTable of Contents\nForeword\nExecutive Summary\nIntroduction\nOffice of Inspector General Activities\nAudits\nInvestigations\nTop Ten Management Challenges\nReporting Requirements\nForeword\nThe National Archives and Records Administration (NARA) is an agency of approximately\n2,900 employees with a budget approaching $340 million. Given NARA\'s relatively\nmodest size and budget, we are perceived perhaps as just a single thread in\nthe tapestry that constitutes the entire Federal Government. This thread, however,\nruns the full length and breadth of our nation.\nNARA holds records, artifacts, and images that constitute the essential evidence of our democracy, and who we are as Americans.  Many of the records amongst our millions of cubic feet of holdings are intrinsically of archival significance; sadly they are also highly marketable if illicitly removed from our holdings.  We hold retirees\' military and civilian records and other records that contain vast troves of private information that could and have been used for identity theft and other nefarious purposes.  NARA maintains extensive holdings of highly classified records including those that are most sensitive to our national security.   The high risk of compromise to elements of these holdings requires continual vigilance to ensure proper control of them.  We have begun to accession and hold the initial elements of an enormous and growing wave of electronic records that in their digital state are vulnerable to exploitation by persons or entities who gain unauthorized access to them.  NARA, as any other agency, also maintains large quantities of assets and enters into major procurements that require audit and investigative oversight to mitigate the potential for fraud.\nAs the Inspector General, my statutory duty is to provide audit and investigative coverage to this entire agency; detect and report upon waste, fraud, abuse, and mismanagement; and offer recommendations and suggestions designed to bring effectiveness and efficiency of operations to NARA.  By accepting the position of Inspector General six years\'ago, I accepted this responsibility and sought to secure the capabilities and resources to fully honor this challenge.  I have used semiannual reports, budget submissions, and other vehicles to seek additional resources for my office while fully recognizing that NARA is an agency that has serious budget challenges.  I invite Congress and the Executive Branch to become more intimately involved in the challenges this office faces as we attempt to honor the provisions of the Inspector General Act passed by Congress and signed into law by the President.\nPaul Brachfeld\nInspector General\nTop of Page\nExecutive Summary\nThis is the 36th Semiannual Report to the Congress summarizing the activities\nand accomplishments of the National Archives and Records Administration (NARA)\nOffice of Inspector General (OIG). A summary of NARA\'s top challenges is provided\nunder the section titled "Top Ten Management Challenges." The highlights\nof our major functions are summarized below.\nAudits\nIn this reporting period, the Audit Division continued to examine the security\nof NARA\'s Information Technology (IT) systems and assess economy and efficiency\nof NARA\'s programs. This work had positive impact upon agency operations and\nrelated controls in these critical areas. Recommendations directed to NARA officials\nwill, upon adoption, translate into reduced risk for the agency and increased\nlevels of security and control over NARA\'s financial assets, programs, and operations.\nWe issued the following audit reports during the reporting period:\nReview of NARA\'s Information Security Program.  This audit, which sought to determine whether NARA was making satisfactory progress establishing an information security program that included appropriate controls required by Federal legislation, revealed weaknesses in NARA\'s (a) network perimeter/firewall security; (b) computer network operating system software and electronic message software; (c) computer security incident response capability; (d) recovery strategy for quickly and effectively restoring mission critical information technology systems after a severe service disruption or disaster; and (e) the security certification and accreditation process.  These weaknesses, paired with information security vulnerabilities previously identified and not fully addressed in a fiscal year 2000 audit, result in a material weakness in the current NARA Information Security Program.  We made 12 recommendations that, when implemented by management, will assist the agency in establishing an information security program that meets Federal legislation requirements. (Audit Report #06-09, dated August 6, 2009.)\nAudit of NARA\'s System Administrator Rights and Control. Our audit, which assessed whether NARA had instituted appropriate controls, oversight, policies, and procedures over system administrator accounts to ensure that NARA\'systems and information is properly secured, disclosed that NARA\'s controls over system administrator accounts were weak and needed immediate improvement.  The inadequate controls governing system administrator rights and controls resulted in increased risk of system degradation due to potential mismanagement, human error, or system compromise by persons seeking to harm NARA\'s servers and infrastructure devices.  We made nine recommendations to management to improve NARA\'s system administrator rights and controls and enhance controls over information technology security.  Management concurred with all but one recommendation. (Audit Report #06-11, dated September 27, 2006.)\nEvaluation of NARA\'s Affiliated Archives Program. Our review found that while the program meets its intended goal and function, opportunities exist to improve upon and expand the program to provide the American public with even greater access to NARA records.  Further, our review disclosed that while NARA has improved management oversight over the program, additional measures can strengthen internal controls to ensure that records are protected from damage and loss.  Specifically, our review disclosed that (1) outdated Memorandums of Understanding (MOU) exist that govern the relationships between NARA and the respective affiliates resulting in inconsistent requirements and standards for housing and maintaining holdings at individual affiliates; and (2) with the exception of one of the existing eight affiliated archives, all failed to meet the current NARA Archival Storage Standards.  To address this condition, we made six recommendations that, upon adoption, will help ensure that NARA records are protected while improving access through additional partnerships.  Management concurred with all but one recommendation. (Audit Report #06-10, dated August 9, 2006.)\nOIG Monitoring of the Novell Netware/GroupWise Upgrade Project. Our review, which assessed whether the project was meeting cost and schedule requirements and whether management was taking timely action to correct any actual or potential problems with project performance, disclosed that the project was proceeding on schedule.  In fact, the migration effort at NARA facilities was scheduled to be completed in less time than originally estimated.  As of June 13, 2006, the migration effort was completed at 28.6 percent of NARA facilities.  No significant problems were noted.(Audit Report #06-14, dated June 20, 2006.)\nOIG Monitoring of the Novell Netware/GroupWise Upgrade Project (2nd Report).\nOur second report on the status of the Novell NetWare/GroupWise Upgrade Project\nrevealed that the project has continued to progress in a satisfactory manner.\nHowever, we believe that upgrading the operating system and electronic mail\nsoftware to version 6.5 constitutes only an interim measure for solving the\nagency\'s operating system and electronic mail software problems. This opinion\nis also shared by Gartner, a large information technology research and advisory\nfirm, which has stated its belief that the Novell Corporation will continue\nto support the Netware operating system software, version 6.5, only until\n2008. At that point, NARA will find itself in the same position that it is\ncurrently working to get out of, that is, running obsolete network software.\nAs a result, planning for the next software upgrade is critical and should\nbegin as soon as the current upgrade project is completed.(Audit\nReport #06-15, dated September 11, 2006.)\nInvestigations\nDuring this reporting period, the Office of Investigations opened 20 investigations, closed 6 investigations, recovered 12 documents, and executed 4 search warrants.  The Office of Investigations received 162 complaints, and closed 156 complaints.  There are 20 complaints and 36 investigations that remain open.\nThe Office of Investigation completed investigations in areas including:\nAlleged Theft of Indian Records\nPossession of Illicit Drugs and a Firearm in the National Archives Building\nCompromise of Classified Material\nEmployee and Contractor Misconduct at the FDR Library\nAlleged Theft from the Cafe at the National Archives at College Park\nWe continue to report that an insufficient number of investigative agents continue to adversely impact our ability to perform components of our core mission and provide support to NARA.  Furthermore, we remain constrained in our ability to conduct proactive investigative activity and training.\nTop of Page\nManagement Assistance\nDuring the reporting period, the OIG\nWorked with the Archivist of the United States and his general counsel to\nresolve issues related to publishing OIG audit reports on the Internet. The\nOIG continues to work with the general counsel\'s office and the Archivist\non Privacy Act matters as they relate to OIG investigative reports. After\nconsulting with NARA, the OIG endorsed amendments to the Code of Federal Regulations\nallowing NARA the ability to inspect employees\' personal property on-site.\nThe OIG also prepared and forwarded two Freedom of Information Act appeal\npackages to the Archivist.\nEntered into a Memorandum of Agreement with NARA\'s computer security group that allows the OIG\'s Office of Investigations to use existing equipment in NARA\'s inventory for computer forensics analysis.\nWorked with NARA\'s Designated Agency Ethics Official (DAEO) on various ethics matters.\nProvided input for NARA\'s Information Security Program Handbook regarding handling incidents involving classified material, particularly when notification of the OIG is necessary.\nContinued the OIG\'s role in the recovery of lost, stolen, and missing holdings at the National Archives.  In response to a request from management for comment, the OIG developed a detailed process incorporating NARA management, archival experts, the Office of General Counsel, and the OIG charting the step-by-step process of item recovery from intake to recovery.  During this period, NARA Directive 1462, Recovery of Archival Materials, went into effect.  To further facilitate this directive, the OIG is in the process of selecting a staff archivist to provide subject-matter expertise throughout the recovery process.\nTop of Page\nIntroduction\nAbout the National Archives and Records Administration\nMission\nThe National Archives and Records Administration ensures, for the Citizen and the Public Servant, for the President and the Congress and the Courts, ready access to essential evidence.\nBackground\nNARA, by preserving the nation\'s documentary history, serves as a public trust\non which our democracy depends. It enables citizens to inspect for themselves\nthe record of what the Government has done. It enables officials and agencies\nto review their actions and helps citizens hold them accountable. It ensures\ncontinuing access to essential evidence that documents the rights of American\ncitizens, the actions of Federal officials, and the national experience.\nFederal records reflect and document America\'s development over more than 200 years\'and are great in number, diverse in character, and rich in information. NARA\'s traditional holdings amount to 28.4 million cubic feet of records.  These holdings include architectural/engineering drawings, maps, and charts; moving images and sound recordings; and photographic images.  Additionally, NARA maintains 543,564 artifact items and 10.5 billion logical data records.\nNARA involves millions of people in its public programs, which include exhibitions, tours, educational programs, film series, and genealogical workshops. In FY 2006, NARA hosted 3 million museum visitors while responding to 1.2 million written requests from the public.  In addition, NARA responded to 10 million Federal agency reference requests, 21,367 Federal agency requests for appointments to review records, and provided records management training to 4,234 individuals.  NARA publishes the Federal Register and other legal and reference documents that form a vital link between the Federal Government and those affected by its regulations and actions. Through the National Historical Publications and Records Commission, NARA helps to preserve and publish non-Federal historical documents that also constitute an important part of our national heritage. NARA also administers the Nixon Presidential Materials Project, and 11 Presidential libraries that preserve the papers and other historical materials of all past Presidents since Herbert Hoover.\nResources\nIn FY 2006, NARA was appropriated an annual budget of approximately $338 million and 2,890 Full-time Equivalents (FTEs), which included appropriations of $283 million for operations, $37 million for the Electronic Records Archive (ERA) program, $9.6 million for repairs and restorations of facilities, and $7.5 million for grants. NARA operations are spread throughout 36 facilities nationwide.\nAbout the Office of Inspector General (OIG)\nThe OIG Mission\nThe OIG\'s mission is to ensure that NARA provides the American people with ready access to essential evidence by providing high-quality, objective audits and investigations, and serving as an independent, internal advocate for economy, efficiency, and effectiveness.\nBackground\nThe Inspector General Act of 1978, as amended, established the OIG\'s independent role and general responsibilities. The Inspector General reports to both the Archivist of the United States and the Congress. The OIG evaluates NARA\'s performance, makes recommendations for improvements, and follows up to ensure economical, efficient, and effective operations and compliance with laws, policies, and regulations. In particular, the OIG\nassesses the effectiveness, efficiency, and economy of NARA programs and operations\nrecommends improvements in policies and procedures to enhance operations and correct deficiencies\nrecommends cost savings through greater efficiency and economy of operations, alternative use of resources, and collection actions\ninvestigates and recommends legal and management actions to correct fraud, waste, abuse, or mismanagement\nResources\nThe FY 2006 OIG budget is approximately $2.2 million for operations. The OIG now has 16 FTEs. At full staffing, in addition to the Inspector General and 3 support staff, 7 FTEs are devoted to audits, 4 to investigations, and 1 as counsel to the Inspector General.  During the period, one of two vacant audit positions was filled.  Currently, the OIG is in the process of hiring another auditor to fill the remaining vacant auditor position. The OIG is seeking additional audit and investigative resources to support the work of this office as defined in the FY 2007 and FY 2008 budget submissions to the Archivist.\nTop of Page\nOffice of Inspector General Activities\nInvolvement in the Inspector General Community\nPresident\'s Counsel on Integrity and Efficiency (PCIE) and Executive Counsel on Integrity and Efficiency (ECIE) Legislation Committee. The IG served as one of two ECIE representatives to the Legislation Committee.  The Legislation Committee assists the IG community in effectively carrying out its duties as specified in Executive Order 12085.  In particular, these responsibilities are to identify, review, and discuss areas of weakness and vulnerability in Federal programs; conduct operations to uncover fraud, waste, and abuse; and develop plans for coordinated, Government-wide activities that address these problems and promote economy and efficiency in Federal programs and operations.\nCouncil of Counsels to Inspectors General (CCIG). The OIG counsel participated in meetings of the CCIG and communicated regularly with fellow members.  Multiple topics were raised, discussed, and addressed including independence of inspectors general, control of OIG-generated reports, authority to publish audit reports and respond to Freedom of Information Act requests for Reports of Investigation, and how to appropriately respond to congressional inquiries from either the chairman or ranking committee member.\nFederal Audit Executive Council (FAEC). The Assistant Inspector General for Audits (AIGA) continued to serve as an ECIE representative to the FAEC.   During the period, the AIGA attended FAEC\'s meeting to discuss topics such as financial statement audit issues, revisions to the PCIE External Peer Review Guide, opinion reports on internal controls, and information security.\nPresident\'s Counsel on Integrity and Efficiency and Executive Counsel on\nIntegrity and Efficiency Investigations Advisory Subcommittee. The Assistant\nInspector General for Investigations (AIGI) participated in meetings of the\nInvestigations Advisory Subcommittee and communicated regularly with fellow\nmembers. During the period, numerous topics were raised, discussed, and addressed\nincluding law enforcement officers flying armed, Inspector General Academy training,\nundercover operations policy, peer reviews, and scope of law enforcement authorities.\nResponse to Congressional Items\nFederal Information Security Management Act (FISMA) of 2006. Together with the NARA Chief Information Officer (CIO) and the Senior Agency Official for Privacy (SAOP), the OIG provided the Office of Management and Budget the 2006 Annual Security Review report pursuant to the Federal Information Security Management Act of 2002 (FISMA).  FISMA requires Federal agencies to take a risk-based, cost-effective approach to secure the agency-wide information and systems, identify and resolve IT security control weaknesses, and protect agency resources against future vulnerabilities and threats.  FISMA lays out a framework that is further specified by National Institute of Standards and Technology publications for risk-based controls, testing, and evaluation.  Under this guidance, the Federal Government is able to quantitatively determine IT security control progress and problems.  This information is essential to ensuring that remediation efforts and IT resources are prioritized, properly included in the budget, and result in timely resolution of IT security weaknesses.\nWe noted that many of the control weaknesses noted in Fiscal years\'2004 and 2005 continue to persist as of the Fiscal Year 2006 reporting period.  Most notably, the control weaknesses surrounding 1) updated system security plans; 2) plans of action and milestones for each system and for the agency as a whole; 3) contingency plans and contingency plan testing; 4) configuration policy; 5) annual system testing and evaluation; and 6) failure to complete Privacy Impact assessments for all systems identified as needing one.\nInventory of Commercial Activities. We submitted to OMB our FY 2006 inventory of commercial activities performed by OIG employees.  The Federal Activities Inventory Reform Act of 1998, Pub. L. 105-270 (the FAIR Act), requires Federal agencies to prepare and submit to OMB, by June 30 of each year, inventories of their commercial activities performed by Federal employees.  OMB is required to review each agenc\'s inventory and consult with the agency regarding its content.  Upon completion of the review and consultation, OMB is required to list the available inventories in the Federal Register, and the agency head must transmit a copy of the inventory to the Congress and make it available to the public.  NARA forwarded its FY 2006 inventory to OMB and published it to the NARA website during this reporting period.\nFederal Managers\' Financial Integrity Act (FMFIA). Each year under the Federal Managers\' Financial Integrity Act (FMFIA), the Archivist is required to report to the President on the adequacy and effectiveness of internal controls in NARA\'s programs and administrative activities.  To create this report, the Archivist relies on assurance statements from each NARA office and OIG review.\nThe OIG does not agree with NARA\'s decision to reflect existing material weaknesses identified in the agency\'s Preservation Program and Information Security Program as reportable conditions in NARA\'s FY 2006 FMFIA Assurance Statement letter to the President.  We disagree with the letter because in our view it does not accurately reflect the state of management controls and material risks identified by OIG.\nTop of Page\nAudits\nOverview\nThis period, we issued:\n3 final audit reports\n2 advisory reports\nWe completed fieldwork on the following assignment:\nan audit of high-valued items to determine if management controls are adequate for properly safeguarding specially protected records and artifacts stored in secured stacks, vaults, and safes.\nan audit of Suitability Determination of Contract Employees to assess controls over  contractor employment suitability.\nan audit of NARA\'s Hurricane Katrina Related Mission Assignments to determine the effectiveness and efficiency of the Department of Homeland Security mission assignment process.\nWe also continued work on the following assignments:\nan audit of NARA Enterprise Architecture to determine if NARA has established and is managing its enterprise architecture in accordance with Federal best practices.\na review of the Processing of Records Accessioned into NARA to determine whether established controls provide adequate assurance that archival records transferred to NARA are made available to the public in a timely manner.\nAudit Summaries\nReview of NARA\'s Information Security Program\nThe overall objective of our review was to determine if the National Archives and Record Administration is making satisfactory progress establishing an information security program that includes appropriate controls required by federal legislation.  Specifically, we sought to determine whether or not NARA (a) has up-to-date, documented security policies; (b) has documented procedures and controls to implement the policies; (c) has implemented the security procedures and controls, and reinforced them through training; (d) routinely tests and reviews the adequacy and effectiveness of its procedures and controls; and (e) has successfully integrated the policies, procedures, and controls into a comprehensive security program that is an integral part of its organizational culture.\nOur review revealed that  (a)  NARA\'s network perimeter/firewall security needs improvement; (b) the agency\'s computer network operating system software and electronic message software do not ensure a secure computing environment for the agency\'s computer network users; (c)  NARA officials have not established a 24-hours-per-day/7-days-per-week computer security incident response capability; performed any testing to ensure that the computer incident response team will function in the most efficient and effective manner possible; or conducted post incident activities in accordance with the guidance in National Institute of Standards and Technology Special Publication 800-61, Computer Security Incident Handling Guide, and the NARA Computer Security Incident Handling Guide; (d)  in the area of contingency planning, NARA\'s recovery strategy for quickly and effectively restoring its mission critical IT systems after a severe service disruption or disaster is inadequate; contingency plans were not prepared for two of NARA\'s IT systems; the NH Disaster Recovery Plan was inadequate (i.e., critical information was missing from the plan) and, of 28 mission critical and non-mission critical IT systems reviewed, none had a plan for testing its contingency plan, nor had any testing been accomplished; and (e) improvement is needed in NARA\'s security certification and accreditation process, specifically, the preparation, maintenance, and update of system security plans; preparation of plans of action and milestones; and tasks associated with the continuous monitoring process.\nWe made 12 recommendations that, when implemented by management, will assist the agency in establishing an information security program that meets the Federal Information Security Management Act and the National Institute of Standards and Technology requirements, and will eliminate the need to report information security as a material weakness in the FMFIA report.  Management concurred with two recommendations, partially concurred with two recommendations, and nonconcurred with eight recommendations in the report.  The report is currently being reviewed by the Archivist of the United States. (Audit Report #06-09, dated August 9, 2006.)\nAudit of NARA\'s System Administrator Rights and Controls\nThe Office of the Inspector General (OIG) performed an audit of the NARA\'s system administrator rights and controls.  The audit was designed to determine whether the appropriate controls, oversight, policies, and procedures are implemented over system administrator accounts in order to ensure that NARA\'systems and information are properly secured and reasonably controlled.  System administrator rights and controls exist to ensure that only legitimate system administrators can perform operations critical to controlling rights among other programs and users.\nOur audit revealed that NARA\'s controls over system administrator accounts were weak and needed immediate improvement.  The inadequate controls governing system administrator rights and controls result in increased risk of system degradation due to potential mismanagement, human error, or system compromise by persons seeking to harm NARA\'s servers and infrastructure devices.\nSpecifically, we noted weaknesses governing the removal of previously disabled system administrator accounts; the enforcement of NARA password policies for system administrator passwords; users having root access on some servers; system logs, including the lack of logging, ineffective log parameters, log overwrites, inconsistent log sizes, and logs not backed up or saved; the number of system administrators on servers; the ability of system administrators to create an access control list of users and their rights for review as directed by the NARA Technical Controls IT Handbook; the process of ensuring that system administrators have a user level account in addition to their administrator account; and the policies and procedures governing field sites and the related systems administration.\nWe made nine recommendations to improve NARA\'s system administrator rights and controls and enhance controls over information technology security.  Management agreed with all but two recommendations and initiated corrective action.  (Audit Report #06-11, dated September 27, 2006.)\nEvaluation of NARA\'s Affiliated Archives Program\nNARA\'s affiliated archives, through formal Memorandums of Understanding (MOUs), agree to house, maintain, and service NARA records in accordance with pertinent Federal laws and appropriate NARA regulations and archival and facility standards.  The affiliates are responsible for all costs for establishing and maintaining the records and archival facility.\nThe dual purpose of the audit was to determine whether (1) the Affiliated Archives Program is meeting its intended goal and function, and (2) affiliate archives participants were complying with management controls and ensuring that NARA records were properly accounted for and appropriately secured.\nWhile conducting the review, the auditors determined that while the Affiliated Archives Program is meeting its intended goal and function to a measured degree, opportunities exist to improve upon and expand the program to provide the American public with even greater access to NARA records.  The evaluation also identified that while NARA has improved management oversight over the Affiliated Archives Program, opportunities exist to strengthen internal controls to ensure that records are protected from damage and loss.  Specifically, the review disclosed two critical conditions that adversely impacted the program.\nOutdated MOUs govern the relationships between NARA and the respective affiliates.  Individual affiliates are held to inconsistent requirements and standards for housing and maintaining holdings.\nWith the exception of one of the existing eight affiliated archives, all failed to meet the current NARA Archival Storage Standards.\nTo address the discovered conditions, the report contained six recommendations that, upon adoption, will help ensure that NARA records are protected while improving access through additional partnerships.  Management concurred with all but one recommendation and began corrective action.  (Audit Report #06-10, dated August 9, 2006.)\nOIG Monitoring of the Novell Netware/GroupWise Upgrade Project\nThe purpose of this effort was to advise the Archivist of the status of the Novell NetWare/GroupWise Upgrade Project.  Specifically, we assessed whether the project was meeting cost and schedule requirements, and management was taking timely action to correct any actual or potential problems with project performance.\nOur monitoring effort consisted of reviewing applicable project documentation, including the Daily Summary Reports, Weekly Status Reports, Work Breakdown Structure, and Implementation Schedule.  We also reviewed the NetWare/GroupWise 2006 Product Plan; NetWare 6.5 Upgrade Project Plan, Information Technology Support Services (ITSS) contract modification no. 25, Software Upgrade, dated April 27, 2006; and the Technical Direction Letter no. FY05-TDL-04: Completion of the NetWare/GroupWise Upgrade Project, dated May 25, 2005.\nWe reported that the Novell NetWare/GroupWise Upgrade Project was proceeding on schedule.  In fact, the migration effort at the NARA facilities was scheduled to be completed in less time than originally scheduled.  According to ITSS contract modification no. 25, the effort was scheduled to begin on March 6, 2006, and be completed on October 31, 2006.  Subsequently, the scheduled completion date was changed to October 27, 2006, a reduction of four days.\nIn addition, it was our opinion that the upgrade project had encountered no major problems with performance or technical issues.  As of June 13, 2006, there were three unresolved issues that were being addressed by project personnel.  Because the report was advisory in nature, we made no recommendations for corrective action.  (Advisory Report # 06-14, dated June 20, 2006.)\nOIG Monitoring of the Novell Netware/GroupWise Upgrade Project (2nd Report)\nThe purpose of this effort was to advise the Archivist of the status of the Novell NetWare/GroupWise Upgrade Project.  Specifically, we assessed whether the project was meeting cost and schedule requirements, and management was taking timely action to correct any actual or potential problems with project performance.\nOur monitoring effort consisted of reviewing applicable project documentation, including the Daily Summary Reports, Weekly Status Reports, Work Breakdown Structure, and Implementation Schedule.  We also reviewed the NetWare/GroupWise 2006 Product Plan; NetWare 6.5 Upgrade Project Plan, Information Technology Support Services (ITSS) contract modification no. 25, Software Upgrade, dated April 27, 2006; and the Technical Direction Letter no. FY05-TDL-04: Completion of the NetWare/GroupWise Upgrade Project, dated May 25, 2005.\nIn this second advisory report informing the Archivist of the status of the Novell NetWare/GroupWise Upgrade Project, we reported that, based on efforts expended by NARA and contractor personnel to upgrade NARA\'s computer network operating system and electronic mail software, the project continued to progress in a satisfactory manner.  In fact, it appeared that the project, which had encountered no major technical problems, would be completed ahead of the scheduled completion date of October 31, 2006.  Efforts were underway at the last two NARA facilities, Archives I and St. Louis (Military Personnel Records), to upgrade the Novell software.\nWe also reported that that upgrading the operating system and electronic mail software to version 6.5 constituted only an interim measure for solving the agency\'s operating system and electronic mail software problems.  It is believed that the Novell Corporation will continue to support the Netware operating system software, version 6.5, only until 2008.  At that point, NARA will find itself in the same position that it is currently working to get out of, that is, running obsolete network software.  As a result, planning for the next software upgrade is critical and should begin as soon as the current upgrade project is completed.  Because the report was advisory in nature, we made no recommendations for corrective action.  (Advisory Report # 06-15, dated September 11, 2006.)\nTop of Page\nInvestigations\nClosed Investigation Highlights\nPossession of Illicit Drugs and a Firearm at Archives I\nIn February 2006, an anonymous complainant reported that a contract employee\nwas holding illegal drugs and a firearm in a locker at the National Archives\nBuilding. A lawful search of the locker resulted in the discovery of two plastic\nbaggies of marijuana within a camouflage jacket known to be worn by the contract\nemployee. Several documents containing the contractor\'s name and Social Security\nNumber were also found in the locker. No firearms or ammunition were discovered\nduring the search. The contract employee was immediately deemed unsuitable,\nremoved from the contract and barred from the facility. The DC U.S. Attorney\'s\nOffice declined prosecution.\nA NARA Employee and a Security Guard at FDR Presidential Library Engaged in Inappropriate Conduct at the Library During Work Hours\nIn April 2006, interviews of contract guards at NLFDR concerning a different investigation, suggested a NLFDR employee had sexual contact with a contract guard on multiple occasions during duty hours in the NLFDR auditorium.  The investigation substantiated that the NLFDR employee did have sexual contact with the contract guard in the library one or two times per week from approximately April 2004 to October 2005.  The NLFDR employee subsequently resigned her position in lieu of potential termination.  The contract guard was deemed unsuitable and removed from the contract.\nCompromise of Classified Material\nIn March 2006, the Office of Inspector General was notified that a NARA employee had received a classified e-mail attachment via an unsecured NARA e-mail production server.  The investigation established that an Executive Office of the President employee unknowingly sent a classified e-mail attachment to the NARA employee resulting in it subsequently being stored on an unsecured NARA e-mail production server located at AII.  The classified information was immediately recognized and deleted from the NARA user\'s e-mail account.  Any potential remnants of e-mail were subsequently deleted from the production server without any apparent compromise.\nInvestigation Updates\nMishandling and Improper Investigation of a Theft of Classified Documents\nIn the first quarter of FY 2006, an investigation concerning the mishandling and improper investigation relating to the viewing and theft of classified documents by former National Security Advisor Samuel R. Berger was completed and referred to the U.S. Department of Justice and the U.S. Archivist for action.  The Department of Justice declined prosecution in lieu of administrative action.  The investigation determined that Berger was provided highly classified materials in an unauthorized setting on multiple occasions, and that NARA failed to report the theft of the classified materials to the OIG or any other law enforcement entity before conducting an improper investigation of the incident.  Previously, Berger was charged with one count of 18 U.S.C. \xc2\xa7 1924: Unauthorized Removal and Retention of Classified Material, a Class A Misdemeanor, and sentenced to 2 years\'probation, 100 hours community service, a $50,000 fine, and no access to classified information for a period of 3 years\'. Update:  In June 2006, the Archivist acted to take internal administrative actions in response to the OIG report of investigation.\nThreat Against NARA Employees\nIn May 2005, a NARA employee threatened the lives of two co-workers with a box cutter.  In June 2005, the individual was removed from employment.  This case is being prosecuted by the State of Missouri.  The Office of Investigations is working with the Department of Homeland Security, Federal Protective Service.  In August 2005, the individual entered a plea of not guilty.  In December 2005, the employee again entered a plea of not guilty.  Update:  In June 2006, the subject received a sentence of five years\'probation with a suspended imposition of sentence (deferred adjudication).\nCompromise of CMRS and PERL Servers\nThe National Archives and Records Administration Intrusion Detection System\nreported an attempt by a remote computer to exploit a known Windows vulnerability\nto upload an exploit to the Case Management Reporting System (CMRS-02) server.\nSubsequently, the entire CMRS network was affected by the exploit. The investigation\nshowed that both the CMRS-02 server and the Presidential Electronic Records\nLibrary (PERL) server named "WJC-CDSS" were compromised. The exploit\ngave the intruders full administrative rights and access to both of these servers\nand to the 11 computer workstations that were also compromised in this attack.\nAlthough direct evidence of data exfiltration from either server was not found,\nthe level of access granted to the intruders and the trust relationships between\nthe compromised servers and computers allowed circumvention of internal controls\nso that proprietary data exfiltration cannot be definitively ruled out. Update:\nThis case is pending a prosecutive decision.\nOIG HOTLINE\nThe OIG Hotline provides a prompt, effective, and confidential channel for reporting fraud, waste, abuse, and mismanagement to the OIG. In addition to receiving telephone calls at a toll-free Hotline number and letters to the Hotline post office box, we also accept email communication from NARA\'s internal network or the Internet through the Hotline email system.  Walk-ins are always welcome.\nThe Investigative Division promptly and carefully reviews calls, letters, and e-mail to the Hotline. We investigate allegations of suspected criminal activity or civil fraud and conduct preliminary inquiries on noncriminal matters to determine the proper disposition. Where appropriate, referrals are made to the OIG Audit Staff or to NARA management.\nThe following table summarizes Hotline activity for this reporting period:\nCases Opened*\n19\nReferred Outside the OIG\n82\nClosed to File\n41\nClosed from Last Reporting Period\n17\nPending\n20\nTOTAL HOTLINE CONTACTS\n162\n*Cases included in investigative workload statistics.\nTop of Page\nTop Ten Management Challenges\nUnder the authority of the Inspector General Act, the NARA OIG conducts and supervises independent audits, investigations, and other reviews to promote economy, efficiency, and effectiveness and prevent and detect fraud, waste, and mismanagement.  To fulfill that mission and help NARA achieve its strategic goals, we have aligned our programs to focus on areas that we believe represent the agency\xe2\x80\x99s most significant challenges.  We have identified those areas as NARA\'s top ten management challenges.  These challenges are listed below.\n1. Electronic Records Archives (ERA)\nNARA\'s challenge is to build a system that will accommodate past, present, and future formats of electronic records. By September 2007, NARA plans to have initial operating capability for ERA with planned incremental improvements that will eventually result in full system capability. The challenge will be to deliver and maintain a functional ERA system that will preserve electronic records for as long as needed.\n2. Electronic Records Management (ERM)\nNARA directs the Electronic Records Management (ERM) initiative, one of 24 Government-wide initiatives. The ERM initiative will provide guidance to agencies in managing and transferring to NARA, in an increasing variety of data types and formats, their permanent electronic records.  NARA and its Government partners are challenged with determining how to manage electronic records, and how to make ERM and e-Government work more effectively.\n3. Improving Records Management\nNARA\'s mission is to ensure that Federal officials and the American public have ready access to essential evidence.  NARA must work with Federal agencies to make scheduling, appraisal, and accessioning processes more effective and timely. The challenge is how best to accomplish this component of our overall mission and identify and react to agencies with critical records management needs.\n4. Information Technology Security\nThe authenticity and reliability of our electronic records and information technology systems are only as good as our IT security infrastructure. Each year, the risks and challenges to IT security continue to evolve. NARA must ensure the security of its data and systems or risk undermining the agency\'s credibility and ability to carry out its mission.\n5. Expanding Public Access to Records\nIn a democracy, the records of its archives belong to its citizens. NARA\'s challenge is to more aggressively inform and educate our customers about the services we offer and the essential evidence to which we can provide access.  Of critical importance is NARA\'s role in ensuring the timeliness and integrity of the process of declassifying classified material held at NARA.\n6. Meeting Storage Needs of Growing Quantities of Records\nNARA-promulgated regulation 36 CFR Part 1228, "Disposition of Federal\nRecords," Subpart K, "Facility Standards for Records Storage Facilities,"\nrequires all facilities that house Federal records to meet defined physical\nand environmental requirements by FY 2009. NARA\'s challenge is to ensure compliance\nwith these regulations internally as well as by other agencies that house Federal\nrecords.\n7. Preservation Needs of Records\nThe Archivist has identified preservation as a material weakness under the\nFederal Managers\' Financial Integrity Act (FMFIA) reporting process. NARA cannot\nprovide public access to records to support researchers needs unless it can\npreserve them for as long as needed. As in the case of our national infrastructure\n(bridges, sewer systems, etc.), NARA holdings grow older daily and are degrading.\nNARA is challenged to address this condition and related challenges.\n8. Improving Financial Management\nBy inclusion under the Accountability of Tax Dollars Act of 2002, NARA is required to prepare audited financial statements in compliance with prescribed standards, subject to independent audit.  NARA\'s challenge is to present timely, accurate, and useful financial information for making day-to-day operating decisions; supporting results-oriented management approaches; and ensuring accountability on an ongoing basis.\n9. Physical Security\nThe Archivist has identified security of collections as a material weakness\nunder the FMFIA reporting process. NARA must maintain adequate levels of security\nto ensure the safety and integrity of persons and holdings within our facilities.\nThis is especially critical in light of the new realities that face this nation,\npost-September 11, and the risks that our holdings may be pilfered, defaced,\nor destroyed by fire or other natural disasters.\n10. Strengthening Human Capital\nThe GAO has identified human capital as a Government-wide high risk.  NARA\'s challenge is to adequately assess its human capital needs in order to effectively recruit, retain, and train people with the technological understanding and content knowledge that NARA needs for future success.\nTop of Page\nReporting Requirements\nSTATISTICAL SUMMARY OF\nINVESTIGATIONS\nInvestigative Workload\nComplaints received this reporting period\n162\nCases pending at the beginning of the reporting period\n26\nCases opened this reporting period\n20\nCases closed this reporting\nperiod\n10\nCases carried forward this reporting\nperiod\n36\nCategories of Closed\nInvestigations\nFraud\n0\nConflict of Interest\n0\nContracting Irregularities\n0\nMisconduct\n1\nLarceny (theft)\n2\nTorts\n0\nOther\n3\nInvestigative Results\nCases referred - Accepted for prosecution\n0\nCases referred - Declined for prosecution\n2\nCases referred - Pending prosecutive decision\n1\nArrests\n0\nIndictments and informations\n0\nConvictions\n1\nFines, restitutions, and other civil and administrative recoveries\n0\nNARA holdings recovered\n12\nAdministrative Remedies\nEmployee(s) terminated\n1\nEmployee(s) resigned in lieu of termination\n1\nEmployee(s) suspended\n0\nEmployee(s) given letter of reprimand/warned/counseled\n4\nEmployees taking a reduction in grade in lieu of administrative action\n0\nContractor (s) removed\n3\nRequirement 5(a)(6)LIST OF REPORTS ISSUED\nReport No.\nTitle\nDate\nQuestioned Costs\nUn-supported Costs\nFunds Put to Better Use\n06-09\nReview of NARA\'s Information Security Program\n08/09/2006\n0\n0\n0\n06-10\nEvaluation of NARA\'s Affiliated Archives Program\n08/09/2006\n0\n0\n0\n06-11\nAudit of NARA\'s System Administrator Rights and Controls\n09/27/2006\n0\n0\n0\n06-14\nOIG Monitoring of the Novell Netware/GroupWise Upgrade Project\n06/20/2006\n0\n0\n0\n06-15\nOIG Monitoring of the Novell Netware/GroupWise Upgrade Project (2nd Report)\n09/11/2006\n0\n0\n0\nAUDIT REPORT(S) WITH QUESTIONED COSTS\nCategory\nNumber of\nReports\nDOLLAR VALUE\nQuestionedCosts\nUnsupportedCosts\nA. For which no management decision has been\nmade by the commencement of the reporting period\n1\n$236,335\n$0\nB. Which were issued during the reporting\nperiod\n$0\n$0\n$0\nSubtotals (A + B)\n1\n$236,335\n$0\nC. For which a management decision has been\nmade during the reporting period\n0\n$0\n$0\n(i) dollar value of disallowed\ncost\n0\n$0\n$0\n(ii) dollar value of costs not\ndisallowed\n0\n$0\n$0\nD. For which no management decision has been\nmade by the end of the reporting period\n1\n$236,335\n$0\nE. For which no management decision was made\nwithin 6 months\n1\n$236,335\n$0\nRequirement 5(a)(9)\nAUDITS REPORTS WITH RECOMMENDATIONS THAT FUNDS BE PUT TO BETTER USE\nCATEGORY\nNUMBER\nDOLLAR VALUE\nA. For which no management decision has been made\nby the commencement of the reporting period\n0\n$0\nB. Which were issued during the reporting\nperiod\n0\n0\nSubtotals (A + B)\n0\n0\nC. For which a management decision has been made\nduring the reporting period\n0\n0\n(i) dollar value of recommendations that were\nagreed to by management\n0\n0\nBased on proposed management\naction\n0\n0\nBased on proposed legislative\naction\n0\n0\n(ii) dollar value of recommendations that were not\nagreed to by management\n0\n0\nD. For which no management decision has been made\nby the end of the reporting period\n0\n0\nE. For which no management decision was made\nwithin 6 months of issuance\n0\n0\nsecutor\nREQUIREMENT\nCATEGORY\nSUMMARY\n5(a)(3)\nPrior significant recommendations\nunimplemented\nNone\n5(a)(4)\nSummary of proial referrals\nNone\n5(a)(5)\nInformation or assistance refused\nNone\n5(a)(10)\nPrior audit reports unresolved\nNone\n5(a)(11)\nSignificant revised management decisions\nNone\n5(a)(12)\nSignificant revised management decisions with\nwhich the OIG disagreed\nNone\nTop of Page\nPDF files require the free Adobe Reader.\nMore information on Adobe Acrobat PDF files is available on our Accessibility page.\nOffice of the Inspector General (OIG) >\nConnect With Us\nBlogs\nFacebook\nFlickr\nRSS Feeds\nTwitter\nYouTube\nMore...\nInformation For\xe2\x80\xa6\nCitizen Archivists\nFederal Employees\nGenealogists\nMembers of Congress\nPreservation\nRecords Managers\nThe Press\nPublications\nFederal Register\nFree Publications\nPrologue Magazine\nPurchase Publications\nMore\xe2\x80\xa6\nOrgs & Offices\nCenter for Legislative Archives\nFederal Records Center\nOffice of the Inspector General\nPresidential Libraries\nMore\xe2\x80\xa6\nAbout Us\nWhat is the National Archives?\nDoing Business with Us\nPlans and Reports\nOpen Government\nOur Plain Language Activities\nI  Want To...\nGet My Military Record\nPlan a Research Visit\nVisit the Museum\nView Online Exhibits\nApply for a Grant\nParticipate\nAttend an Event\nDonate to the Archives\nWork at the Archives\nVolunteer at the Archives\nResources\nA-Z Index\nAmerica\'s Founding Docs\nContact Us\nEn Espa\xc3\xb1ol\nFAQs\nForms\nContact Us\nAccessibility\nPrivacy Policy\nFreedom of Information Act\nNo FEAR Act\nUSA.gov\nThe U.S. National Archives and Records Administration\n1-86-NARA-NARA or 1-866-272-6272\n.'